If you are thinking about engaging a security consulting company, at some point you will probably be wondering what you will get out of it. Asking to view a sample report is a common request. After all, the report will contain your takeaways, making it one of the most critical parts of the engagement. In fact, you should think twice about working with any security company that refuses this type of request.
Not all reports are the same, so it is important to review the sample to determine if it meets your needs. If it doesn't, don't be afraid to ask for modifications. Many security companies (including us, of course) are more than happy to make accommodations as needed.
For more details on deliverables, feel free to read our article, "What is in a Penetration Test Report".
We want to have a sample that is as realistic as possible, without needing to redact details. The report below used a known vulnerable application, OWASP® Juice Shop. This target allows the report to have the information that is customarily redacted.
To be clear, though, we did not perform an exhaustive test of Juice Shop. There are a couple of reasons. First, no one wants to read the enormous number of pages that would generate. Second, we did not want to ruin the fun of testing Juice Shop during a training class or as a hobby.
The sample report is for a web penetration test. If you have any questions, feel free to reach out and ask.